From 588251c5a98dfdf3a9d160611897992a6f7bc8b3 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 15 Nov 2019 11:13:01 +0800 Subject: [PATCH] 4.4-stable patches added patches: kvm-introduce-kvm_get_arch_capabilities.patch kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch kvm-x86-export-mds_no-0-to-guests-when-tsx-is-enabled.patch kvm-x86-ia32_arch_capabilities-is-always-supported.patch kvm-x86-use-intel-speculation-bugs-and-features-as-derived-in-generic-x86-code.patch x86-bugs-add-itlb_multihit-bug-infrastructure.patch x86-cpu-add-a-helper-function-x86_read_arch_cap_msr.patch x86-cpu-add-a-tsx-cmdline-option-with-tsx-disabled-by-default.patch x86-msr-add-the-ia32_tsx_ctrl-msr.patch x86-speculation-taa-add-documentation-for-tsx-async-abort.patch x86-speculation-taa-add-mitigation-for-tsx-async-abort.patch x86-speculation-taa-add-sysfs-reporting-for-tsx-async-abort.patch x86-speculation-taa-fix-printing-of-taa_msg_smt-on-ibrs_all-cpus.patch x86-tsx-add-auto-option-to-the-tsx-cmdline-parameter.patch x86-tsx-add-config-options-to-set-tsx-on-off-auto.patch --- ...-introduce-kvm_get_arch_capabilities.patch | 60 +++ ..._ia32_arch_capabilities-on-amd-hosts.patch | 124 +++++ ...s_no-0-to-guests-when-tsx-is-enabled.patch | 65 +++ ...rch_capabilities-is-always-supported.patch | 49 ++ ...tures-as-derived-in-generic-x86-code.patch | 60 +++ queue-4.4/series | 15 + ...add-itlb_multihit-bug-infrastructure.patch | 258 +++++++++ ...elper-function-x86_read_arch_cap_msr.patch | 67 +++ ...-option-with-tsx-disabled-by-default.patch | 266 ++++++++++ .../x86-msr-add-the-ia32_tsx_ctrl-msr.patch | 82 +++ ...dd-documentation-for-tsx-async-abort.patch | 489 ++++++++++++++++++ ...a-add-mitigation-for-tsx-async-abort.patch | 302 +++++++++++ ...-sysfs-reporting-for-tsx-async-abort.patch | 119 +++++ ...ting-of-taa_msg_smt-on-ibrs_all-cpus.patch | 49 ++ ...-option-to-the-tsx-cmdline-parameter.patch | 66 +++ ...onfig-options-to-set-tsx-on-off-auto.patch | 137 +++++ 16 files changed, 2208 insertions(+) create mode 100644 queue-4.4/kvm-introduce-kvm_get_arch_capabilities.patch create mode 100644 queue-4.4/kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch create mode 100644 queue-4.4/kvm-x86-export-mds_no-0-to-guests-when-tsx-is-enabled.patch create mode 100644 queue-4.4/kvm-x86-ia32_arch_capabilities-is-always-supported.patch create mode 100644 queue-4.4/kvm-x86-use-intel-speculation-bugs-and-features-as-derived-in-generic-x86-code.patch create mode 100644 queue-4.4/x86-bugs-add-itlb_multihit-bug-infrastructure.patch create mode 100644 queue-4.4/x86-cpu-add-a-helper-function-x86_read_arch_cap_msr.patch create mode 100644 queue-4.4/x86-cpu-add-a-tsx-cmdline-option-with-tsx-disabled-by-default.patch create mode 100644 queue-4.4/x86-msr-add-the-ia32_tsx_ctrl-msr.patch create mode 100644 queue-4.4/x86-speculation-taa-add-documentation-for-tsx-async-abort.patch create mode 100644 queue-4.4/x86-speculation-taa-add-mitigation-for-tsx-async-abort.patch create mode 100644 queue-4.4/x86-speculation-taa-add-sysfs-reporting-for-tsx-async-abort.patch create mode 100644 queue-4.4/x86-speculation-taa-fix-printing-of-taa_msg_smt-on-ibrs_all-cpus.patch create mode 100644 queue-4.4/x86-tsx-add-auto-option-to-the-tsx-cmdline-parameter.patch create mode 100644 queue-4.4/x86-tsx-add-config-options-to-set-tsx-on-off-auto.patch diff --git a/queue-4.4/kvm-introduce-kvm_get_arch_capabilities.patch b/queue-4.4/kvm-introduce-kvm_get_arch_capabilities.patch new file mode 100644 index 00000000000..6af68a00198 --- /dev/null +++ b/queue-4.4/kvm-introduce-kvm_get_arch_capabilities.patch @@ -0,0 +1,60 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Ben Hutchings +Date: Tue, 8 Oct 2019 23:35:30 +0100 +Subject: KVM: Introduce kvm_get_arch_capabilities() + +From: Ben Hutchings + +Extracted from commit 5b76a3cff011 "KVM: VMX: Tell the nested +hypervisor to skip L1D flush on vmentry". We will need this to let a +nested hypervisor know that we have applied the mitigation for TAA. + +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm_host.h | 1 + + arch/x86/kvm/vmx.c | 3 +-- + arch/x86/kvm/x86.c | 10 ++++++++++ + 3 files changed, 12 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -1226,6 +1226,7 @@ void kvm_vcpu_reload_apic_access_page(st + void kvm_arch_mmu_notifier_invalidate_page(struct kvm *kvm, + unsigned long address); + ++u64 kvm_get_arch_capabilities(void); + void kvm_define_shared_msr(unsigned index, u32 msr); + int kvm_set_shared_msr(unsigned index, u64 val, u64 mask); + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -5079,8 +5079,7 @@ static int vmx_vcpu_setup(struct vcpu_vm + ++vmx->nmsrs; + } + +- if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES)) +- rdmsrl(MSR_IA32_ARCH_CAPABILITIES, vmx->arch_capabilities); ++ vmx->arch_capabilities = kvm_get_arch_capabilities(); + + vm_exit_controls_init(vmx, vmcs_config.vmexit_ctrl); + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -995,6 +995,16 @@ static u32 emulated_msrs[] = { + + static unsigned num_emulated_msrs; + ++u64 kvm_get_arch_capabilities(void) ++{ ++ u64 data; ++ ++ rdmsrl_safe(MSR_IA32_ARCH_CAPABILITIES, &data); ++ ++ return data; ++} ++EXPORT_SYMBOL_GPL(kvm_get_arch_capabilities); ++ + static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) + { + if (efer & EFER_FFXSR) { diff --git a/queue-4.4/kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch b/queue-4.4/kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch new file mode 100644 index 00000000000..3a7bea39a7d --- /dev/null +++ b/queue-4.4/kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch @@ -0,0 +1,124 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Sean Christopherson +Date: Thu, 7 Mar 2019 15:43:02 -0800 +Subject: KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts + +From: Sean Christopherson + +commit 0cf9135b773bf32fba9dd8e6699c1b331ee4b749 upstream. + +The CPUID flag ARCH_CAPABILITIES is unconditioinally exposed to host +userspace for all x86 hosts, i.e. KVM advertises ARCH_CAPABILITIES +regardless of hardware support under the pretense that KVM fully +emulates MSR_IA32_ARCH_CAPABILITIES. Unfortunately, only VMX hosts +handle accesses to MSR_IA32_ARCH_CAPABILITIES (despite KVM_GET_MSRS +also reporting MSR_IA32_ARCH_CAPABILITIES for all hosts). + +Move the MSR_IA32_ARCH_CAPABILITIES handling to common x86 code so +that it's emulated on AMD hosts. + +Fixes: 1eaafe91a0df4 ("kvm: x86: IA32_ARCH_CAPABILITIES is always supported") +Cc: stable@vger.kernel.org +Reported-by: Xiaoyao Li +Cc: Jim Mattson +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +[bwh: Backported to 4.4: adjust context] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm_host.h | 1 + + arch/x86/kvm/vmx.c | 14 -------------- + arch/x86/kvm/x86.c | 12 ++++++++++++ + 3 files changed, 13 insertions(+), 14 deletions(-) + +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -408,6 +408,7 @@ struct kvm_vcpu_arch { + u64 smbase; + bool tpr_access_reporting; + u64 ia32_xss; ++ u64 arch_capabilities; + + /* + * Paging state of the vcpu +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -546,7 +546,6 @@ struct vcpu_vmx { + u64 msr_guest_kernel_gs_base; + #endif + +- u64 arch_capabilities; + u64 spec_ctrl; + + u32 vm_entry_controls_shadow; +@@ -2866,12 +2865,6 @@ static int vmx_get_msr(struct kvm_vcpu * + + msr_info->data = to_vmx(vcpu)->spec_ctrl; + break; +- case MSR_IA32_ARCH_CAPABILITIES: +- if (!msr_info->host_initiated && +- !guest_cpuid_has_arch_capabilities(vcpu)) +- return 1; +- msr_info->data = to_vmx(vcpu)->arch_capabilities; +- break; + case MSR_IA32_SYSENTER_CS: + msr_info->data = vmcs_read32(GUEST_SYSENTER_CS); + break; +@@ -3028,11 +3021,6 @@ static int vmx_set_msr(struct kvm_vcpu * + vmx_disable_intercept_for_msr(vmx->vmcs01.msr_bitmap, MSR_IA32_PRED_CMD, + MSR_TYPE_W); + break; +- case MSR_IA32_ARCH_CAPABILITIES: +- if (!msr_info->host_initiated) +- return 1; +- vmx->arch_capabilities = data; +- break; + case MSR_IA32_CR_PAT: + if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) { + if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data)) +@@ -5079,8 +5067,6 @@ static int vmx_vcpu_setup(struct vcpu_vm + ++vmx->nmsrs; + } + +- vmx->arch_capabilities = kvm_get_arch_capabilities(); +- + vm_exit_controls_init(vmx, vmcs_config.vmexit_ctrl); + + /* 22.2.1, 20.8.1 */ +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2080,6 +2080,11 @@ int kvm_set_msr_common(struct kvm_vcpu * + case MSR_AMD64_BU_CFG2: + break; + ++ case MSR_IA32_ARCH_CAPABILITIES: ++ if (!msr_info->host_initiated) ++ return 1; ++ vcpu->arch.arch_capabilities = data; ++ break; + case MSR_EFER: + return set_efer(vcpu, msr_info); + case MSR_K7_HWCR: +@@ -2354,6 +2359,12 @@ int kvm_get_msr_common(struct kvm_vcpu * + case MSR_IA32_UCODE_REV: + msr_info->data = 0x100000000ULL; + break; ++ case MSR_IA32_ARCH_CAPABILITIES: ++ if (!msr_info->host_initiated && ++ !guest_cpuid_has_arch_capabilities(vcpu)) ++ return 1; ++ msr_info->data = vcpu->arch.arch_capabilities; ++ break; + case MSR_MTRRcap: + case 0x200 ... 0x2ff: + return kvm_mtrr_get_msr(vcpu, msr_info->index, &msr_info->data); +@@ -7402,6 +7413,7 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu + { + int r; + ++ vcpu->arch.arch_capabilities = kvm_get_arch_capabilities(); + kvm_vcpu_mtrr_init(vcpu); + r = vcpu_load(vcpu); + if (r) diff --git a/queue-4.4/kvm-x86-export-mds_no-0-to-guests-when-tsx-is-enabled.patch b/queue-4.4/kvm-x86-export-mds_no-0-to-guests-when-tsx-is-enabled.patch new file mode 100644 index 00000000000..677b24fe7af --- /dev/null +++ b/queue-4.4/kvm-x86-export-mds_no-0-to-guests-when-tsx-is-enabled.patch @@ -0,0 +1,65 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Pawan Gupta +Date: Wed, 23 Oct 2019 12:23:33 +0200 +Subject: kvm/x86: Export MDS_NO=0 to guests when TSX is enabled + +From: Pawan Gupta + +commit e1d38b63acd843cfdd4222bf19a26700fd5c699e upstream. + +Export the IA32_ARCH_CAPABILITIES MSR bit MDS_NO=0 to guests on TSX +Async Abort(TAA) affected hosts that have TSX enabled and updated +microcode. This is required so that the guests don't complain, + + "Vulnerable: Clear CPU buffers attempted, no microcode" + +when the host has the updated microcode to clear CPU buffers. + +Microcode update also adds support for MSR_IA32_TSX_CTRL which is +enumerated by the ARCH_CAP_TSX_CTRL bit in IA32_ARCH_CAPABILITIES MSR. +Guests can't do this check themselves when the ARCH_CAP_TSX_CTRL bit is +not exported to the guests. + +In this case export MDS_NO=0 to the guests. When guests have +CPUID.MD_CLEAR=1, they deploy MDS mitigation which also mitigates TAA. + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Tested-by: Neelima Krishnan +Reviewed-by: Tony Luck +Reviewed-by: Josh Poimboeuf +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1008,6 +1008,25 @@ u64 kvm_get_arch_capabilities(void) + if (!boot_cpu_has_bug(X86_BUG_MDS)) + data |= ARCH_CAP_MDS_NO; + ++ /* ++ * On TAA affected systems, export MDS_NO=0 when: ++ * - TSX is enabled on the host, i.e. X86_FEATURE_RTM=1. ++ * - Updated microcode is present. This is detected by ++ * the presence of ARCH_CAP_TSX_CTRL_MSR and ensures ++ * that VERW clears CPU buffers. ++ * ++ * When MDS_NO=0 is exported, guests deploy clear CPU buffer ++ * mitigation and don't complain: ++ * ++ * "Vulnerable: Clear CPU buffers attempted, no microcode" ++ * ++ * If TSX is disabled on the system, guests are also mitigated against ++ * TAA and clear CPU buffer mitigation is not required for guests. ++ */ ++ if (boot_cpu_has_bug(X86_BUG_TAA) && boot_cpu_has(X86_FEATURE_RTM) && ++ (data & ARCH_CAP_TSX_CTRL_MSR)) ++ data &= ~ARCH_CAP_MDS_NO; ++ + return data; + } + diff --git a/queue-4.4/kvm-x86-ia32_arch_capabilities-is-always-supported.patch b/queue-4.4/kvm-x86-ia32_arch_capabilities-is-always-supported.patch new file mode 100644 index 00000000000..caaeebc5e40 --- /dev/null +++ b/queue-4.4/kvm-x86-ia32_arch_capabilities-is-always-supported.patch @@ -0,0 +1,49 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Jim Mattson +Date: Wed, 9 May 2018 14:29:35 -0700 +Subject: kvm: x86: IA32_ARCH_CAPABILITIES is always supported + +From: Jim Mattson + +commit 1eaafe91a0df4157521b6417b3dd8430bf5f52f0 upstream. + +If there is a possibility that a VM may migrate to a Skylake host, +then the hypervisor should report IA32_ARCH_CAPABILITIES.RSBA[bit 2] +as being set (future work, of course). This implies that +CPUID.(EAX=7,ECX=0):EDX.ARCH_CAPABILITIES[bit 29] should be +set. Therefore, kvm should report this CPUID bit as being supported +whether or not the host supports it. Userspace is still free to clear +the bit if it chooses. + +For more information on RSBA, see Intel's white paper, "Retpoline: A +Branch Target Injection Mitigation" (Document Number 337131-001), +currently available at https://bugzilla.kernel.org/show_bug.cgi?id=199511. + +Since the IA32_ARCH_CAPABILITIES MSR is emulated in kvm, there is no +dependency on hardware support for this feature. + +Signed-off-by: Jim Mattson +Reviewed-by: Konrad Rzeszutek Wilk +Fixes: 28c1c9fabf48 ("KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES") +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/cpuid.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -447,6 +447,11 @@ static inline int __do_cpuid_ent(struct + entry->ebx |= F(TSC_ADJUST); + entry->edx &= kvm_cpuid_7_0_edx_x86_features; + cpuid_mask(&entry->edx, CPUID_7_EDX); ++ /* ++ * We emulate ARCH_CAPABILITIES in software even ++ * if the host doesn't support it. ++ */ ++ entry->edx |= F(ARCH_CAPABILITIES); + } else { + entry->ebx = 0; + entry->edx = 0; diff --git a/queue-4.4/kvm-x86-use-intel-speculation-bugs-and-features-as-derived-in-generic-x86-code.patch b/queue-4.4/kvm-x86-use-intel-speculation-bugs-and-features-as-derived-in-generic-x86-code.patch new file mode 100644 index 00000000000..674fe6b0482 --- /dev/null +++ b/queue-4.4/kvm-x86-use-intel-speculation-bugs-and-features-as-derived-in-generic-x86-code.patch @@ -0,0 +1,60 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Paolo Bonzini +Date: Mon, 19 Aug 2019 17:24:07 +0200 +Subject: KVM: x86: use Intel speculation bugs and features as derived in generic x86 code + +From: Paolo Bonzini + +commit 0c54914d0c52a15db9954a76ce80fee32cf318f4 upstream. + +Similar to AMD bits, set the Intel bits from the vendor-independent +feature and bug flags, because KVM_GET_SUPPORTED_CPUID does not care +about the vendor and they should be set on AMD processors as well. + +Suggested-by: Jim Mattson +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Thomas Gleixner +[bwh: Backported to 4.4: adjust context] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/cpuid.c | 7 +++++++ + arch/x86/kvm/x86.c | 8 ++++++++ + 2 files changed, 15 insertions(+) + +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -447,6 +447,13 @@ static inline int __do_cpuid_ent(struct + entry->ebx |= F(TSC_ADJUST); + entry->edx &= kvm_cpuid_7_0_edx_x86_features; + cpuid_mask(&entry->edx, CPUID_7_EDX); ++ if (boot_cpu_has(X86_FEATURE_IBPB) && ++ boot_cpu_has(X86_FEATURE_IBRS)) ++ entry->edx |= F(SPEC_CTRL); ++ if (boot_cpu_has(X86_FEATURE_STIBP)) ++ entry->edx |= F(INTEL_STIBP); ++ if (boot_cpu_has(X86_FEATURE_SSBD)) ++ entry->edx |= F(SPEC_CTRL_SSBD); + /* + * We emulate ARCH_CAPABILITIES in software even + * if the host doesn't support it. +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1001,8 +1001,16 @@ u64 kvm_get_arch_capabilities(void) + + rdmsrl_safe(MSR_IA32_ARCH_CAPABILITIES, &data); + ++ if (!boot_cpu_has_bug(X86_BUG_CPU_MELTDOWN)) ++ data |= ARCH_CAP_RDCL_NO; ++ if (!boot_cpu_has_bug(X86_BUG_SPEC_STORE_BYPASS)) ++ data |= ARCH_CAP_SSB_NO; ++ if (!boot_cpu_has_bug(X86_BUG_MDS)) ++ data |= ARCH_CAP_MDS_NO; ++ + return data; + } ++ + EXPORT_SYMBOL_GPL(kvm_get_arch_capabilities); + + static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer) diff --git a/queue-4.4/series b/queue-4.4/series index 3898518b732..6b200d78a6e 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -3,3 +3,18 @@ mips-bcm63xx-fix-switch-core-reset-on-bcm6368.patch powerpc-makefile-use-cflags-y-aflags-y-for-setting-endian-options.patch powerpc-fix-compiling-a-be-kernel-with-a-powerpc64le-toolchain.patch powerpc-boot-request-no-dynamic-linker-for-boot-wrapper.patch +kvm-introduce-kvm_get_arch_capabilities.patch +kvm-x86-emulate-msr_ia32_arch_capabilities-on-amd-hosts.patch +kvm-x86-ia32_arch_capabilities-is-always-supported.patch +kvm-x86-use-intel-speculation-bugs-and-features-as-derived-in-generic-x86-code.patch +x86-msr-add-the-ia32_tsx_ctrl-msr.patch +x86-cpu-add-a-helper-function-x86_read_arch_cap_msr.patch +x86-cpu-add-a-tsx-cmdline-option-with-tsx-disabled-by-default.patch +x86-speculation-taa-add-mitigation-for-tsx-async-abort.patch +x86-speculation-taa-add-sysfs-reporting-for-tsx-async-abort.patch +kvm-x86-export-mds_no-0-to-guests-when-tsx-is-enabled.patch +x86-tsx-add-auto-option-to-the-tsx-cmdline-parameter.patch +x86-speculation-taa-add-documentation-for-tsx-async-abort.patch +x86-tsx-add-config-options-to-set-tsx-on-off-auto.patch +x86-speculation-taa-fix-printing-of-taa_msg_smt-on-ibrs_all-cpus.patch +x86-bugs-add-itlb_multihit-bug-infrastructure.patch diff --git a/queue-4.4/x86-bugs-add-itlb_multihit-bug-infrastructure.patch b/queue-4.4/x86-bugs-add-itlb_multihit-bug-infrastructure.patch new file mode 100644 index 00000000000..6ac2cd9ef21 --- /dev/null +++ b/queue-4.4/x86-bugs-add-itlb_multihit-bug-infrastructure.patch @@ -0,0 +1,258 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Vineela Tummalapalli +Date: Mon, 4 Nov 2019 12:22:01 +0100 +Subject: x86/bugs: Add ITLB_MULTIHIT bug infrastructure + +From: Vineela Tummalapalli + +commit db4d30fbb71b47e4ecb11c4efa5d8aad4b03dfae upstream. + +Some processors may incur a machine check error possibly resulting in an +unrecoverable CPU lockup when an instruction fetch encounters a TLB +multi-hit in the instruction TLB. This can occur when the page size is +changed along with either the physical address or cache type. The relevant +erratum can be found here: + + https://bugzilla.kernel.org/show_bug.cgi?id=205195 + +There are other processors affected for which the erratum does not fully +disclose the impact. + +This issue affects both bare-metal x86 page tables and EPT. + +It can be mitigated by either eliminating the use of large pages or by +using careful TLB invalidations when changing the page size in the page +tables. + +Just like Spectre, Meltdown, L1TF and MDS, a new bit has been allocated in +MSR_IA32_ARCH_CAPABILITIES (PSCHANGE_MC_NO) and will be set on CPUs which +are mitigated against this issue. + +Signed-off-by: Vineela Tummalapalli +Co-developed-by: Pawan Gupta +Signed-off-by: Pawan Gupta +Signed-off-by: Paolo Bonzini +Signed-off-by: Thomas Gleixner +[bwh: Backported to 4.4: + - No support for X86_VENDOR_HYGON, ATOM_AIRMONT_NP + - Adjust context, indentation] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/msr-index.h | 7 ++ + arch/x86/kernel/cpu/bugs.c | 13 ++++ + arch/x86/kernel/cpu/common.c | 61 +++++++++++---------- + drivers/base/cpu.c | 8 ++ + include/linux/cpu.h | 2 + 7 files changed, 65 insertions(+), 28 deletions(-) + +--- a/Documentation/ABI/testing/sysfs-devices-system-cpu ++++ b/Documentation/ABI/testing/sysfs-devices-system-cpu +@@ -280,6 +280,7 @@ What: /sys/devices/system/cpu/vulnerabi + /sys/devices/system/cpu/vulnerabilities/l1tf + /sys/devices/system/cpu/vulnerabilities/mds + /sys/devices/system/cpu/vulnerabilities/tsx_async_abort ++ /sys/devices/system/cpu/vulnerabilities/itlb_multihit + Date: January 2018 + Contact: Linux kernel mailing list + Description: Information about CPU vulnerabilities +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -341,5 +341,6 @@ + #define X86_BUG_MSBDS_ONLY X86_BUG(20) /* CPU is only affected by the MSDBS variant of BUG_MDS */ + #define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */ + #define X86_BUG_TAA X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */ ++#define X86_BUG_ITLB_MULTIHIT X86_BUG(23) /* CPU may incur MCE during certain page attribute changes */ + + #endif /* _ASM_X86_CPUFEATURES_H */ +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -71,6 +71,13 @@ + * Microarchitectural Data + * Sampling (MDS) vulnerabilities. + */ ++#define ARCH_CAP_PSCHANGE_MC_NO BIT(6) /* ++ * The processor is not susceptible to a ++ * machine check error due to modifying the ++ * code page size along with either the ++ * physical address or cache type ++ * without TLB invalidation. ++ */ + #define ARCH_CAP_TSX_CTRL_MSR BIT(7) /* MSR for TSX control is available. */ + #define ARCH_CAP_TAA_NO BIT(8) /* + * Not susceptible to +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1277,6 +1277,11 @@ static void __init l1tf_select_mitigatio + + #ifdef CONFIG_SYSFS + ++static ssize_t itlb_multihit_show_state(char *buf) ++{ ++ return sprintf(buf, "Processor vulnerable\n"); ++} ++ + static ssize_t mds_show_state(char *buf) + { + #ifdef CONFIG_HYPERVISOR_GUEST +@@ -1379,6 +1384,9 @@ static ssize_t cpu_show_common(struct de + case X86_BUG_TAA: + return tsx_async_abort_show_state(buf); + ++ case X86_BUG_ITLB_MULTIHIT: ++ return itlb_multihit_show_state(buf); ++ + default: + break; + } +@@ -1420,4 +1428,9 @@ ssize_t cpu_show_tsx_async_abort(struct + { + return cpu_show_common(dev, attr, buf, X86_BUG_TAA); + } ++ ++ssize_t cpu_show_itlb_multihit(struct device *dev, struct device_attribute *attr, char *buf) ++{ ++ return cpu_show_common(dev, attr, buf, X86_BUG_ITLB_MULTIHIT); ++} + #endif +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -847,13 +847,14 @@ static void identify_cpu_without_cpuid(s + #endif + } + +-#define NO_SPECULATION BIT(0) +-#define NO_MELTDOWN BIT(1) +-#define NO_SSB BIT(2) +-#define NO_L1TF BIT(3) +-#define NO_MDS BIT(4) +-#define MSBDS_ONLY BIT(5) +-#define NO_SWAPGS BIT(6) ++#define NO_SPECULATION BIT(0) ++#define NO_MELTDOWN BIT(1) ++#define NO_SSB BIT(2) ++#define NO_L1TF BIT(3) ++#define NO_MDS BIT(4) ++#define MSBDS_ONLY BIT(5) ++#define NO_SWAPGS BIT(6) ++#define NO_ITLB_MULTIHIT BIT(7) + + #define VULNWL(_vendor, _family, _model, _whitelist) \ + { X86_VENDOR_##_vendor, _family, _model, X86_FEATURE_ANY, _whitelist } +@@ -871,26 +872,26 @@ static const __initconst struct x86_cpu_ + VULNWL(NSC, 5, X86_MODEL_ANY, NO_SPECULATION), + + /* Intel Family 6 */ +- VULNWL_INTEL(ATOM_SALTWELL, NO_SPECULATION), +- VULNWL_INTEL(ATOM_SALTWELL_TABLET, NO_SPECULATION), +- VULNWL_INTEL(ATOM_SALTWELL_MID, NO_SPECULATION), +- VULNWL_INTEL(ATOM_BONNELL, NO_SPECULATION), +- VULNWL_INTEL(ATOM_BONNELL_MID, NO_SPECULATION), +- +- VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), +- VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), +- VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), +- VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), +- VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), +- VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS), ++ VULNWL_INTEL(ATOM_SALTWELL, NO_SPECULATION | NO_ITLB_MULTIHIT), ++ VULNWL_INTEL(ATOM_SALTWELL_TABLET, NO_SPECULATION | NO_ITLB_MULTIHIT), ++ VULNWL_INTEL(ATOM_SALTWELL_MID, NO_SPECULATION | NO_ITLB_MULTIHIT), ++ VULNWL_INTEL(ATOM_BONNELL, NO_SPECULATION | NO_ITLB_MULTIHIT), ++ VULNWL_INTEL(ATOM_BONNELL_MID, NO_SPECULATION | NO_ITLB_MULTIHIT), ++ ++ VULNWL_INTEL(ATOM_SILVERMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT), ++ VULNWL_INTEL(ATOM_SILVERMONT_X, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT), ++ VULNWL_INTEL(ATOM_SILVERMONT_MID, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT), ++ VULNWL_INTEL(ATOM_AIRMONT, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT), ++ VULNWL_INTEL(XEON_PHI_KNL, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT), ++ VULNWL_INTEL(XEON_PHI_KNM, NO_SSB | NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT), + + VULNWL_INTEL(CORE_YONAH, NO_SSB), + +- VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY | NO_SWAPGS), ++ VULNWL_INTEL(ATOM_AIRMONT_MID, NO_L1TF | MSBDS_ONLY | NO_SWAPGS | NO_ITLB_MULTIHIT), + +- VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS), +- VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS), +- VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS), ++ VULNWL_INTEL(ATOM_GOLDMONT, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT), ++ VULNWL_INTEL(ATOM_GOLDMONT_X, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT), ++ VULNWL_INTEL(ATOM_GOLDMONT_PLUS, NO_MDS | NO_L1TF | NO_SWAPGS | NO_ITLB_MULTIHIT), + + /* + * Technically, swapgs isn't serializing on AMD (despite it previously +@@ -901,13 +902,13 @@ static const __initconst struct x86_cpu_ + */ + + /* AMD Family 0xf - 0x12 */ +- VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), +- VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), +- VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), +- VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS), ++ VULNWL_AMD(0x0f, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT), ++ VULNWL_AMD(0x10, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT), ++ VULNWL_AMD(0x11, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT), ++ VULNWL_AMD(0x12, NO_MELTDOWN | NO_SSB | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT), + + /* FAMILY_ANY must be last, otherwise 0x0f - 0x12 matches won't work */ +- VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS), ++ VULNWL_AMD(X86_FAMILY_ANY, NO_MELTDOWN | NO_L1TF | NO_MDS | NO_SWAPGS | NO_ITLB_MULTIHIT), + {} + }; + +@@ -932,6 +933,10 @@ static void __init cpu_set_bug_bits(stru + { + u64 ia32_cap = x86_read_arch_cap_msr(); + ++ /* Set ITLB_MULTIHIT bug if cpu is not in the whitelist and not mitigated */ ++ if (!cpu_matches(NO_ITLB_MULTIHIT) && !(ia32_cap & ARCH_CAP_PSCHANGE_MC_NO)) ++ setup_force_cpu_bug(X86_BUG_ITLB_MULTIHIT); ++ + if (cpu_matches(NO_SPECULATION)) + return; + +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -543,6 +543,12 @@ ssize_t __weak cpu_show_tsx_async_abort( + return sprintf(buf, "Not affected\n"); + } + ++ssize_t __weak cpu_show_itlb_multihit(struct device *dev, ++ struct device_attribute *attr, char *buf) ++{ ++ return sprintf(buf, "Not affected\n"); ++} ++ + static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); + static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); + static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); +@@ -550,6 +556,7 @@ static DEVICE_ATTR(spec_store_bypass, 04 + static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL); + static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL); + static DEVICE_ATTR(tsx_async_abort, 0444, cpu_show_tsx_async_abort, NULL); ++static DEVICE_ATTR(itlb_multihit, 0444, cpu_show_itlb_multihit, NULL); + + static struct attribute *cpu_root_vulnerabilities_attrs[] = { + &dev_attr_meltdown.attr, +@@ -559,6 +566,7 @@ static struct attribute *cpu_root_vulner + &dev_attr_l1tf.attr, + &dev_attr_mds.attr, + &dev_attr_tsx_async_abort.attr, ++ &dev_attr_itlb_multihit.attr, + NULL + }; + +--- a/include/linux/cpu.h ++++ b/include/linux/cpu.h +@@ -55,6 +55,8 @@ extern ssize_t cpu_show_mds(struct devic + extern ssize_t cpu_show_tsx_async_abort(struct device *dev, + struct device_attribute *attr, + char *buf); ++extern ssize_t cpu_show_itlb_multihit(struct device *dev, ++ struct device_attribute *attr, char *buf); + + extern __printf(4, 5) + struct device *cpu_device_create(struct device *parent, void *drvdata, diff --git a/queue-4.4/x86-cpu-add-a-helper-function-x86_read_arch_cap_msr.patch b/queue-4.4/x86-cpu-add-a-helper-function-x86_read_arch_cap_msr.patch new file mode 100644 index 00000000000..4f8741c2982 --- /dev/null +++ b/queue-4.4/x86-cpu-add-a-helper-function-x86_read_arch_cap_msr.patch @@ -0,0 +1,67 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Pawan Gupta +Date: Wed, 23 Oct 2019 10:52:35 +0200 +Subject: x86/cpu: Add a helper function x86_read_arch_cap_msr() + +From: Pawan Gupta + +commit 286836a70433fb64131d2590f4bf512097c255e1 upstream. + +Add a helper function to read the IA32_ARCH_CAPABILITIES MSR. + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Tested-by: Neelima Krishnan +Reviewed-by: Mark Gross +Reviewed-by: Tony Luck +Reviewed-by: Josh Poimboeuf +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/common.c | 15 +++++++++++---- + arch/x86/kernel/cpu/cpu.h | 2 ++ + 2 files changed, 13 insertions(+), 4 deletions(-) + +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -918,19 +918,26 @@ static bool __init cpu_matches(unsigned + return m && !!(m->driver_data & which); + } + +-static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) ++u64 x86_read_arch_cap_msr(void) + { + u64 ia32_cap = 0; + ++ if (boot_cpu_has(X86_FEATURE_ARCH_CAPABILITIES)) ++ rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); ++ ++ return ia32_cap; ++} ++ ++static void __init cpu_set_bug_bits(struct cpuinfo_x86 *c) ++{ ++ u64 ia32_cap = x86_read_arch_cap_msr(); ++ + if (cpu_matches(NO_SPECULATION)) + return; + + setup_force_cpu_bug(X86_BUG_SPECTRE_V1); + setup_force_cpu_bug(X86_BUG_SPECTRE_V2); + +- if (cpu_has(c, X86_FEATURE_ARCH_CAPABILITIES)) +- rdmsrl(MSR_IA32_ARCH_CAPABILITIES, ia32_cap); +- + if (!cpu_matches(NO_SSB) && !(ia32_cap & ARCH_CAP_SSB_NO) && + !cpu_has(c, X86_FEATURE_AMD_SSB_NO)) + setup_force_cpu_bug(X86_BUG_SPEC_STORE_BYPASS); +--- a/arch/x86/kernel/cpu/cpu.h ++++ b/arch/x86/kernel/cpu/cpu.h +@@ -49,4 +49,6 @@ extern void cpu_detect_cache_sizes(struc + + extern void x86_spec_ctrl_setup_ap(void); + ++extern u64 x86_read_arch_cap_msr(void); ++ + #endif /* ARCH_X86_CPU_H */ diff --git a/queue-4.4/x86-cpu-add-a-tsx-cmdline-option-with-tsx-disabled-by-default.patch b/queue-4.4/x86-cpu-add-a-tsx-cmdline-option-with-tsx-disabled-by-default.patch new file mode 100644 index 00000000000..b9bccbe8ed1 --- /dev/null +++ b/queue-4.4/x86-cpu-add-a-tsx-cmdline-option-with-tsx-disabled-by-default.patch @@ -0,0 +1,266 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Pawan Gupta +Date: Wed, 23 Oct 2019 11:01:53 +0200 +Subject: x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default + +From: Pawan Gupta + +commit 95c5824f75f3ba4c9e8e5a4b1a623c95390ac266 upstream. + +Add a kernel cmdline parameter "tsx" to control the Transactional +Synchronization Extensions (TSX) feature. On CPUs that support TSX +control, use "tsx=on|off" to enable or disable TSX. Not specifying this +option is equivalent to "tsx=off". This is because on certain processors +TSX may be used as a part of a speculative side channel attack. + +Carve out the TSX controlling functionality into a separate compilation +unit because TSX is a CPU feature while the TSX async abort control +machinery will go to cpu/bugs.c. + + [ bp: - Massage, shorten and clear the arg buffer. + - Clarifications of the tsx= possible options - Josh. + - Expand on TSX_CTRL availability - Pawan. ] + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Reviewed-by: Josh Poimboeuf +[bwh: Backported to 4.4: + - Drop __ro_after_init attribute + - Adjust filenames, context] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/kernel-parameters.txt | 26 +++++++ + arch/x86/kernel/cpu/Makefile | 2 + arch/x86/kernel/cpu/common.c | 2 + arch/x86/kernel/cpu/cpu.h | 16 ++++ + arch/x86/kernel/cpu/intel.c | 5 + + arch/x86/kernel/cpu/tsx.c | 125 ++++++++++++++++++++++++++++++++++++ + 6 files changed, 175 insertions(+), 1 deletion(-) + create mode 100644 arch/x86/kernel/cpu/tsx.c + +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -4052,6 +4052,32 @@ bytes respectively. Such letter suffixes + platforms where RDTSC is slow and this accounting + can add overhead. + ++ tsx= [X86] Control Transactional Synchronization ++ Extensions (TSX) feature in Intel processors that ++ support TSX control. ++ ++ This parameter controls the TSX feature. The options are: ++ ++ on - Enable TSX on the system. Although there are ++ mitigations for all known security vulnerabilities, ++ TSX has been known to be an accelerator for ++ several previous speculation-related CVEs, and ++ so there may be unknown security risks associated ++ with leaving it enabled. ++ ++ off - Disable TSX on the system. (Note that this ++ option takes effect only on newer CPUs which are ++ not vulnerable to MDS, i.e., have ++ MSR_IA32_ARCH_CAPABILITIES.MDS_NO=1 and which get ++ the new IA32_TSX_CTRL MSR through a microcode ++ update. This new MSR allows for the reliable ++ deactivation of the TSX functionality.) ++ ++ Not specifying this option is equivalent to tsx=off. ++ ++ See Documentation/hw-vuln/tsx_async_abort.rst ++ for more details. ++ + turbografx.map[2|3]= [HW,JOY] + TurboGraFX parallel port interface + Format: +--- a/arch/x86/kernel/cpu/Makefile ++++ b/arch/x86/kernel/cpu/Makefile +@@ -21,7 +21,7 @@ obj-y += bugs.o + obj-$(CONFIG_PROC_FS) += proc.o + obj-$(CONFIG_X86_FEATURE_NAMES) += capflags.o powerflags.o + +-obj-$(CONFIG_CPU_SUP_INTEL) += intel.o ++obj-$(CONFIG_CPU_SUP_INTEL) += intel.o tsx.o + obj-$(CONFIG_CPU_SUP_AMD) += amd.o + obj-$(CONFIG_CPU_SUP_CYRIX_32) += cyrix.o + obj-$(CONFIG_CPU_SUP_CENTAUR) += centaur.o +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -1294,6 +1294,8 @@ void __init identify_boot_cpu(void) + enable_sep_cpu(); + #endif + cpu_detect_tlb(&boot_cpu_data); ++ ++ tsx_init(); + } + + void identify_secondary_cpu(struct cpuinfo_x86 *c) +--- a/arch/x86/kernel/cpu/cpu.h ++++ b/arch/x86/kernel/cpu/cpu.h +@@ -44,6 +44,22 @@ struct _tlb_table { + extern const struct cpu_dev *const __x86_cpu_dev_start[], + *const __x86_cpu_dev_end[]; + ++#ifdef CONFIG_CPU_SUP_INTEL ++enum tsx_ctrl_states { ++ TSX_CTRL_ENABLE, ++ TSX_CTRL_DISABLE, ++ TSX_CTRL_NOT_SUPPORTED, ++}; ++ ++extern enum tsx_ctrl_states tsx_ctrl_state; ++ ++extern void __init tsx_init(void); ++extern void tsx_enable(void); ++extern void tsx_disable(void); ++#else ++static inline void tsx_init(void) { } ++#endif /* CONFIG_CPU_SUP_INTEL */ ++ + extern void get_cpu_cap(struct cpuinfo_x86 *c); + extern void cpu_detect_cache_sizes(struct cpuinfo_x86 *c); + +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -582,6 +582,11 @@ static void init_intel(struct cpuinfo_x8 + detect_vmx_virtcap(c); + + init_intel_energy_perf(c); ++ ++ if (tsx_ctrl_state == TSX_CTRL_ENABLE) ++ tsx_enable(); ++ if (tsx_ctrl_state == TSX_CTRL_DISABLE) ++ tsx_disable(); + } + + #ifdef CONFIG_X86_32 +--- /dev/null ++++ b/arch/x86/kernel/cpu/tsx.c +@@ -0,0 +1,125 @@ ++// SPDX-License-Identifier: GPL-2.0 ++/* ++ * Intel Transactional Synchronization Extensions (TSX) control. ++ * ++ * Copyright (C) 2019 Intel Corporation ++ * ++ * Author: ++ * Pawan Gupta ++ */ ++ ++#include ++ ++#include ++ ++#include "cpu.h" ++ ++enum tsx_ctrl_states tsx_ctrl_state = TSX_CTRL_NOT_SUPPORTED; ++ ++void tsx_disable(void) ++{ ++ u64 tsx; ++ ++ rdmsrl(MSR_IA32_TSX_CTRL, tsx); ++ ++ /* Force all transactions to immediately abort */ ++ tsx |= TSX_CTRL_RTM_DISABLE; ++ ++ /* ++ * Ensure TSX support is not enumerated in CPUID. ++ * This is visible to userspace and will ensure they ++ * do not waste resources trying TSX transactions that ++ * will always abort. ++ */ ++ tsx |= TSX_CTRL_CPUID_CLEAR; ++ ++ wrmsrl(MSR_IA32_TSX_CTRL, tsx); ++} ++ ++void tsx_enable(void) ++{ ++ u64 tsx; ++ ++ rdmsrl(MSR_IA32_TSX_CTRL, tsx); ++ ++ /* Enable the RTM feature in the cpu */ ++ tsx &= ~TSX_CTRL_RTM_DISABLE; ++ ++ /* ++ * Ensure TSX support is enumerated in CPUID. ++ * This is visible to userspace and will ensure they ++ * can enumerate and use the TSX feature. ++ */ ++ tsx &= ~TSX_CTRL_CPUID_CLEAR; ++ ++ wrmsrl(MSR_IA32_TSX_CTRL, tsx); ++} ++ ++static bool __init tsx_ctrl_is_supported(void) ++{ ++ u64 ia32_cap = x86_read_arch_cap_msr(); ++ ++ /* ++ * TSX is controlled via MSR_IA32_TSX_CTRL. However, support for this ++ * MSR is enumerated by ARCH_CAP_TSX_MSR bit in MSR_IA32_ARCH_CAPABILITIES. ++ * ++ * TSX control (aka MSR_IA32_TSX_CTRL) is only available after a ++ * microcode update on CPUs that have their MSR_IA32_ARCH_CAPABILITIES ++ * bit MDS_NO=1. CPUs with MDS_NO=0 are not planned to get ++ * MSR_IA32_TSX_CTRL support even after a microcode update. Thus, ++ * tsx= cmdline requests will do nothing on CPUs without ++ * MSR_IA32_TSX_CTRL support. ++ */ ++ return !!(ia32_cap & ARCH_CAP_TSX_CTRL_MSR); ++} ++ ++void __init tsx_init(void) ++{ ++ char arg[4] = {}; ++ int ret; ++ ++ if (!tsx_ctrl_is_supported()) ++ return; ++ ++ ret = cmdline_find_option(boot_command_line, "tsx", arg, sizeof(arg)); ++ if (ret >= 0) { ++ if (!strcmp(arg, "on")) { ++ tsx_ctrl_state = TSX_CTRL_ENABLE; ++ } else if (!strcmp(arg, "off")) { ++ tsx_ctrl_state = TSX_CTRL_DISABLE; ++ } else { ++ tsx_ctrl_state = TSX_CTRL_DISABLE; ++ pr_err("tsx: invalid option, defaulting to off\n"); ++ } ++ } else { ++ /* tsx= not provided, defaulting to off */ ++ tsx_ctrl_state = TSX_CTRL_DISABLE; ++ } ++ ++ if (tsx_ctrl_state == TSX_CTRL_DISABLE) { ++ tsx_disable(); ++ ++ /* ++ * tsx_disable() will change the state of the ++ * RTM CPUID bit. Clear it here since it is now ++ * expected to be not set. ++ */ ++ setup_clear_cpu_cap(X86_FEATURE_RTM); ++ } else if (tsx_ctrl_state == TSX_CTRL_ENABLE) { ++ ++ /* ++ * HW defaults TSX to be enabled at bootup. ++ * We may still need the TSX enable support ++ * during init for special cases like ++ * kexec after TSX is disabled. ++ */ ++ tsx_enable(); ++ ++ /* ++ * tsx_enable() will change the state of the ++ * RTM CPUID bit. Force it here since it is now ++ * expected to be set. ++ */ ++ setup_force_cpu_cap(X86_FEATURE_RTM); ++ } ++} diff --git a/queue-4.4/x86-msr-add-the-ia32_tsx_ctrl-msr.patch b/queue-4.4/x86-msr-add-the-ia32_tsx_ctrl-msr.patch new file mode 100644 index 00000000000..560ac6be2bc --- /dev/null +++ b/queue-4.4/x86-msr-add-the-ia32_tsx_ctrl-msr.patch @@ -0,0 +1,82 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Pawan Gupta +Date: Wed, 23 Oct 2019 10:45:50 +0200 +Subject: x86/msr: Add the IA32_TSX_CTRL MSR + +From: Pawan Gupta + +commit c2955f270a84762343000f103e0640d29c7a96f3 upstream. + +Transactional Synchronization Extensions (TSX) may be used on certain +processors as part of a speculative side channel attack. A microcode +update for existing processors that are vulnerable to this attack will +add a new MSR - IA32_TSX_CTRL to allow the system administrator the +option to disable TSX as one of the possible mitigations. + +The CPUs which get this new MSR after a microcode upgrade are the ones +which do not set MSR_IA32_ARCH_CAPABILITIES.MDS_NO (bit 5) because those +CPUs have CPUID.MD_CLEAR, i.e., the VERW implementation which clears all +CPU buffers takes care of the TAA case as well. + + [ Note that future processors that are not vulnerable will also + support the IA32_TSX_CTRL MSR. ] + +Add defines for the new IA32_TSX_CTRL MSR and its bits. + +TSX has two sub-features: + +1. Restricted Transactional Memory (RTM) is an explicitly-used feature + where new instructions begin and end TSX transactions. +2. Hardware Lock Elision (HLE) is implicitly used when certain kinds of + "old" style locks are used by software. + +Bit 7 of the IA32_ARCH_CAPABILITIES indicates the presence of the +IA32_TSX_CTRL MSR. + +There are two control bits in IA32_TSX_CTRL MSR: + + Bit 0: When set, it disables the Restricted Transactional Memory (RTM) + sub-feature of TSX (will force all transactions to abort on the + XBEGIN instruction). + + Bit 1: When set, it disables the enumeration of the RTM and HLE feature + (i.e. it will make CPUID(EAX=7).EBX{bit4} and + CPUID(EAX=7).EBX{bit11} read as 0). + +The other TSX sub-feature, Hardware Lock Elision (HLE), is +unconditionally disabled by the new microcode but still enumerated +as present by CPUID(EAX=7).EBX{bit4}, unless disabled by +IA32_TSX_CTRL_MSR[1] - TSX_CTRL_CPUID_CLEAR. + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Tested-by: Neelima Krishnan +Reviewed-by: Mark Gross +Reviewed-by: Tony Luck +Reviewed-by: Josh Poimboeuf +[bwh: Backported to 4.4: adjust context] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/msr-index.h | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -71,10 +71,15 @@ + * Microarchitectural Data + * Sampling (MDS) vulnerabilities. + */ ++#define ARCH_CAP_TSX_CTRL_MSR BIT(7) /* MSR for TSX control is available. */ + + #define MSR_IA32_BBL_CR_CTL 0x00000119 + #define MSR_IA32_BBL_CR_CTL3 0x0000011e + ++#define MSR_IA32_TSX_CTRL 0x00000122 ++#define TSX_CTRL_RTM_DISABLE BIT(0) /* Disable RTM feature */ ++#define TSX_CTRL_CPUID_CLEAR BIT(1) /* Disable TSX enumeration */ ++ + #define MSR_IA32_SYSENTER_CS 0x00000174 + #define MSR_IA32_SYSENTER_ESP 0x00000175 + #define MSR_IA32_SYSENTER_EIP 0x00000176 diff --git a/queue-4.4/x86-speculation-taa-add-documentation-for-tsx-async-abort.patch b/queue-4.4/x86-speculation-taa-add-documentation-for-tsx-async-abort.patch new file mode 100644 index 00000000000..a05b6ea7989 --- /dev/null +++ b/queue-4.4/x86-speculation-taa-add-documentation-for-tsx-async-abort.patch @@ -0,0 +1,489 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Pawan Gupta +Date: Wed, 23 Oct 2019 12:32:55 +0200 +Subject: x86/speculation/taa: Add documentation for TSX Async Abort + +From: Pawan Gupta + +commit a7a248c593e4fd7a67c50b5f5318fe42a0db335e upstream. + +Add the documenation for TSX Async Abort. Include the description of +the issue, how to check the mitigation state, control the mitigation, +guidance for system administrators. + + [ bp: Add proper SPDX tags, touch ups by Josh and me. ] + +Co-developed-by: Antonio Gomez Iglesias + +Signed-off-by: Pawan Gupta +Signed-off-by: Antonio Gomez Iglesias +Signed-off-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Reviewed-by: Mark Gross +Reviewed-by: Tony Luck +Reviewed-by: Josh Poimboeuf +[bwh: Backported to 4.4: + - Drop changes to ReST index files + - Drop "nosmt" documentation + - Adjust filenames, context] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/ABI/testing/sysfs-devices-system-cpu | 1 + Documentation/hw-vuln/tsx_async_abort.rst | 268 +++++++++++++++++++++ + Documentation/kernel-parameters.txt | 33 ++ + Documentation/x86/tsx_async_abort.rst | 117 +++++++++ + 4 files changed, 419 insertions(+) + create mode 100644 Documentation/hw-vuln/tsx_async_abort.rst + create mode 100644 Documentation/x86/tsx_async_abort.rst + +--- a/Documentation/ABI/testing/sysfs-devices-system-cpu ++++ b/Documentation/ABI/testing/sysfs-devices-system-cpu +@@ -279,6 +279,7 @@ What: /sys/devices/system/cpu/vulnerabi + /sys/devices/system/cpu/vulnerabilities/spec_store_bypass + /sys/devices/system/cpu/vulnerabilities/l1tf + /sys/devices/system/cpu/vulnerabilities/mds ++ /sys/devices/system/cpu/vulnerabilities/tsx_async_abort + Date: January 2018 + Contact: Linux kernel mailing list + Description: Information about CPU vulnerabilities +--- /dev/null ++++ b/Documentation/hw-vuln/tsx_async_abort.rst +@@ -0,0 +1,268 @@ ++.. SPDX-License-Identifier: GPL-2.0 ++ ++TAA - TSX Asynchronous Abort ++====================================== ++ ++TAA is a hardware vulnerability that allows unprivileged speculative access to ++data which is available in various CPU internal buffers by using asynchronous ++aborts within an Intel TSX transactional region. ++ ++Affected processors ++------------------- ++ ++This vulnerability only affects Intel processors that support Intel ++Transactional Synchronization Extensions (TSX) when the TAA_NO bit (bit 8) ++is 0 in the IA32_ARCH_CAPABILITIES MSR. On processors where the MDS_NO bit ++(bit 5) is 0 in the IA32_ARCH_CAPABILITIES MSR, the existing MDS mitigations ++also mitigate against TAA. ++ ++Whether a processor is affected or not can be read out from the TAA ++vulnerability file in sysfs. See :ref:`tsx_async_abort_sys_info`. ++ ++Related CVEs ++------------ ++ ++The following CVE entry is related to this TAA issue: ++ ++ ============== ===== =================================================== ++ CVE-2019-11135 TAA TSX Asynchronous Abort (TAA) condition on some ++ microprocessors utilizing speculative execution may ++ allow an authenticated user to potentially enable ++ information disclosure via a side channel with ++ local access. ++ ============== ===== =================================================== ++ ++Problem ++------- ++ ++When performing store, load or L1 refill operations, processors write ++data into temporary microarchitectural structures (buffers). The data in ++those buffers can be forwarded to load operations as an optimization. ++ ++Intel TSX is an extension to the x86 instruction set architecture that adds ++hardware transactional memory support to improve performance of multi-threaded ++software. TSX lets the processor expose and exploit concurrency hidden in an ++application due to dynamically avoiding unnecessary synchronization. ++ ++TSX supports atomic memory transactions that are either committed (success) or ++aborted. During an abort, operations that happened within the transactional region ++are rolled back. An asynchronous abort takes place, among other options, when a ++different thread accesses a cache line that is also used within the transactional ++region when that access might lead to a data race. ++ ++Immediately after an uncompleted asynchronous abort, certain speculatively ++executed loads may read data from those internal buffers and pass it to dependent ++operations. This can be then used to infer the value via a cache side channel ++attack. ++ ++Because the buffers are potentially shared between Hyper-Threads cross ++Hyper-Thread attacks are possible. ++ ++The victim of a malicious actor does not need to make use of TSX. Only the ++attacker needs to begin a TSX transaction and raise an asynchronous abort ++which in turn potenitally leaks data stored in the buffers. ++ ++More detailed technical information is available in the TAA specific x86 ++architecture section: :ref:`Documentation/x86/tsx_async_abort.rst `. ++ ++ ++Attack scenarios ++---------------- ++ ++Attacks against the TAA vulnerability can be implemented from unprivileged ++applications running on hosts or guests. ++ ++As for MDS, the attacker has no control over the memory addresses that can ++be leaked. Only the victim is responsible for bringing data to the CPU. As ++a result, the malicious actor has to sample as much data as possible and ++then postprocess it to try to infer any useful information from it. ++ ++A potential attacker only has read access to the data. Also, there is no direct ++privilege escalation by using this technique. ++ ++ ++.. _tsx_async_abort_sys_info: ++ ++TAA system information ++----------------------- ++ ++The Linux kernel provides a sysfs interface to enumerate the current TAA status ++of mitigated systems. The relevant sysfs file is: ++ ++/sys/devices/system/cpu/vulnerabilities/tsx_async_abort ++ ++The possible values in this file are: ++ ++.. list-table:: ++ ++ * - 'Vulnerable' ++ - The CPU is affected by this vulnerability and the microcode and kernel mitigation are not applied. ++ * - 'Vulnerable: Clear CPU buffers attempted, no microcode' ++ - The system tries to clear the buffers but the microcode might not support the operation. ++ * - 'Mitigation: Clear CPU buffers' ++ - The microcode has been updated to clear the buffers. TSX is still enabled. ++ * - 'Mitigation: TSX disabled' ++ - TSX is disabled. ++ * - 'Not affected' ++ - The CPU is not affected by this issue. ++ ++.. _ucode_needed: ++ ++Best effort mitigation mode ++^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++If the processor is vulnerable, but the availability of the microcode-based ++mitigation mechanism is not advertised via CPUID the kernel selects a best ++effort mitigation mode. This mode invokes the mitigation instructions ++without a guarantee that they clear the CPU buffers. ++ ++This is done to address virtualization scenarios where the host has the ++microcode update applied, but the hypervisor is not yet updated to expose the ++CPUID to the guest. If the host has updated microcode the protection takes ++effect; otherwise a few CPU cycles are wasted pointlessly. ++ ++The state in the tsx_async_abort sysfs file reflects this situation ++accordingly. ++ ++ ++Mitigation mechanism ++-------------------- ++ ++The kernel detects the affected CPUs and the presence of the microcode which is ++required. If a CPU is affected and the microcode is available, then the kernel ++enables the mitigation by default. ++ ++ ++The mitigation can be controlled at boot time via a kernel command line option. ++See :ref:`taa_mitigation_control_command_line`. ++ ++.. _virt_mechanism: ++ ++Virtualization mitigation ++^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++Affected systems where the host has TAA microcode and TAA is mitigated by ++having disabled TSX previously, are not vulnerable regardless of the status ++of the VMs. ++ ++In all other cases, if the host either does not have the TAA microcode or ++the kernel is not mitigated, the system might be vulnerable. ++ ++ ++.. _taa_mitigation_control_command_line: ++ ++Mitigation control on the kernel command line ++--------------------------------------------- ++ ++The kernel command line allows to control the TAA mitigations at boot time with ++the option "tsx_async_abort=". The valid arguments for this option are: ++ ++ ============ ============================================================= ++ off This option disables the TAA mitigation on affected platforms. ++ If the system has TSX enabled (see next parameter) and the CPU ++ is affected, the system is vulnerable. ++ ++ full TAA mitigation is enabled. If TSX is enabled, on an affected ++ system it will clear CPU buffers on ring transitions. On ++ systems which are MDS-affected and deploy MDS mitigation, ++ TAA is also mitigated. Specifying this option on those ++ systems will have no effect. ++ ============ ============================================================= ++ ++Not specifying this option is equivalent to "tsx_async_abort=full". ++ ++The kernel command line also allows to control the TSX feature using the ++parameter "tsx=" on CPUs which support TSX control. MSR_IA32_TSX_CTRL is used ++to control the TSX feature and the enumeration of the TSX feature bits (RTM ++and HLE) in CPUID. ++ ++The valid options are: ++ ++ ============ ============================================================= ++ off Disables TSX on the system. ++ ++ Note that this option takes effect only on newer CPUs which are ++ not vulnerable to MDS, i.e., have MSR_IA32_ARCH_CAPABILITIES.MDS_NO=1 ++ and which get the new IA32_TSX_CTRL MSR through a microcode ++ update. This new MSR allows for the reliable deactivation of ++ the TSX functionality. ++ ++ on Enables TSX. ++ ++ Although there are mitigations for all known security ++ vulnerabilities, TSX has been known to be an accelerator for ++ several previous speculation-related CVEs, and so there may be ++ unknown security risks associated with leaving it enabled. ++ ++ auto Disables TSX if X86_BUG_TAA is present, otherwise enables TSX ++ on the system. ++ ============ ============================================================= ++ ++Not specifying this option is equivalent to "tsx=off". ++ ++The following combinations of the "tsx_async_abort" and "tsx" are possible. For ++affected platforms tsx=auto is equivalent to tsx=off and the result will be: ++ ++ ========= ========================== ========================================= ++ tsx=on tsx_async_abort=full The system will use VERW to clear CPU ++ buffers. Cross-thread attacks are still ++ possible on SMT machines. ++ tsx=on tsx_async_abort=off The system is vulnerable. ++ tsx=off tsx_async_abort=full TSX might be disabled if microcode ++ provides a TSX control MSR. If so, ++ system is not vulnerable. ++ tsx=off tsx_async_abort=off ditto ++ ========= ========================== ========================================= ++ ++ ++For unaffected platforms "tsx=on" and "tsx_async_abort=full" does not clear CPU ++buffers. For platforms without TSX control (MSR_IA32_ARCH_CAPABILITIES.MDS_NO=0) ++"tsx" command line argument has no effect. ++ ++For the affected platforms below table indicates the mitigation status for the ++combinations of CPUID bit MD_CLEAR and IA32_ARCH_CAPABILITIES MSR bits MDS_NO ++and TSX_CTRL_MSR. ++ ++ ======= ========= ============= ======================================== ++ MDS_NO MD_CLEAR TSX_CTRL_MSR Status ++ ======= ========= ============= ======================================== ++ 0 0 0 Vulnerable (needs microcode) ++ 0 1 0 MDS and TAA mitigated via VERW ++ 1 1 0 MDS fixed, TAA vulnerable if TSX enabled ++ because MD_CLEAR has no meaning and ++ VERW is not guaranteed to clear buffers ++ 1 X 1 MDS fixed, TAA can be mitigated by ++ VERW or TSX_CTRL_MSR ++ ======= ========= ============= ======================================== ++ ++Mitigation selection guide ++-------------------------- ++ ++1. Trusted userspace and guests ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++If all user space applications are from a trusted source and do not execute ++untrusted code which is supplied externally, then the mitigation can be ++disabled. The same applies to virtualized environments with trusted guests. ++ ++ ++2. Untrusted userspace and guests ++^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ++ ++If there are untrusted applications or guests on the system, enabling TSX ++might allow a malicious actor to leak data from the host or from other ++processes running on the same physical core. ++ ++If the microcode is available and the TSX is disabled on the host, attacks ++are prevented in a virtualized environment as well, even if the VMs do not ++explicitly enable the mitigation. ++ ++ ++.. _taa_default_mitigations: ++ ++Default mitigations ++------------------- ++ ++The kernel's default action for vulnerable processors is: ++ ++ - Deploy TSX disable mitigation (tsx_async_abort=full tsx=off). +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -2189,6 +2189,7 @@ bytes respectively. Such letter suffixes + spectre_v2_user=off [X86] + spec_store_bypass_disable=off [X86] + mds=off [X86] ++ tsx_async_abort=off [X86] + + auto (default) + Mitigate all CPU vulnerabilities, but leave SMT +@@ -4081,6 +4082,38 @@ bytes respectively. Such letter suffixes + See Documentation/hw-vuln/tsx_async_abort.rst + for more details. + ++ tsx_async_abort= [X86,INTEL] Control mitigation for the TSX Async ++ Abort (TAA) vulnerability. ++ ++ Similar to Micro-architectural Data Sampling (MDS) ++ certain CPUs that support Transactional ++ Synchronization Extensions (TSX) are vulnerable to an ++ exploit against CPU internal buffers which can forward ++ information to a disclosure gadget under certain ++ conditions. ++ ++ In vulnerable processors, the speculatively forwarded ++ data can be used in a cache side channel attack, to ++ access data to which the attacker does not have direct ++ access. ++ ++ This parameter controls the TAA mitigation. The ++ options are: ++ ++ full - Enable TAA mitigation on vulnerable CPUs ++ if TSX is enabled. ++ ++ off - Unconditionally disable TAA mitigation ++ ++ Not specifying this option is equivalent to ++ tsx_async_abort=full. On CPUs which are MDS affected ++ and deploy MDS mitigation, TAA mitigation is not ++ required and doesn't provide any additional ++ mitigation. ++ ++ For details see: ++ Documentation/hw-vuln/tsx_async_abort.rst ++ + turbografx.map[2|3]= [HW,JOY] + TurboGraFX parallel port interface + Format: +--- /dev/null ++++ b/Documentation/x86/tsx_async_abort.rst +@@ -0,0 +1,117 @@ ++.. SPDX-License-Identifier: GPL-2.0 ++ ++TSX Async Abort (TAA) mitigation ++================================ ++ ++.. _tsx_async_abort: ++ ++Overview ++-------- ++ ++TSX Async Abort (TAA) is a side channel attack on internal buffers in some ++Intel processors similar to Microachitectural Data Sampling (MDS). In this ++case certain loads may speculatively pass invalid data to dependent operations ++when an asynchronous abort condition is pending in a Transactional ++Synchronization Extensions (TSX) transaction. This includes loads with no ++fault or assist condition. Such loads may speculatively expose stale data from ++the same uarch data structures as in MDS, with same scope of exposure i.e. ++same-thread and cross-thread. This issue affects all current processors that ++support TSX. ++ ++Mitigation strategy ++------------------- ++ ++a) TSX disable - one of the mitigations is to disable TSX. A new MSR ++IA32_TSX_CTRL will be available in future and current processors after ++microcode update which can be used to disable TSX. In addition, it ++controls the enumeration of the TSX feature bits (RTM and HLE) in CPUID. ++ ++b) Clear CPU buffers - similar to MDS, clearing the CPU buffers mitigates this ++vulnerability. More details on this approach can be found in ++:ref:`Documentation/hw-vuln/mds.rst `. ++ ++Kernel internal mitigation modes ++-------------------------------- ++ ++ ============= ============================================================ ++ off Mitigation is disabled. Either the CPU is not affected or ++ tsx_async_abort=off is supplied on the kernel command line. ++ ++ tsx disabled Mitigation is enabled. TSX feature is disabled by default at ++ bootup on processors that support TSX control. ++ ++ verw Mitigation is enabled. CPU is affected and MD_CLEAR is ++ advertised in CPUID. ++ ++ ucode needed Mitigation is enabled. CPU is affected and MD_CLEAR is not ++ advertised in CPUID. That is mainly for virtualization ++ scenarios where the host has the updated microcode but the ++ hypervisor does not expose MD_CLEAR in CPUID. It's a best ++ effort approach without guarantee. ++ ============= ============================================================ ++ ++If the CPU is affected and the "tsx_async_abort" kernel command line parameter is ++not provided then the kernel selects an appropriate mitigation depending on the ++status of RTM and MD_CLEAR CPUID bits. ++ ++Below tables indicate the impact of tsx=on|off|auto cmdline options on state of ++TAA mitigation, VERW behavior and TSX feature for various combinations of ++MSR_IA32_ARCH_CAPABILITIES bits. ++ ++1. "tsx=off" ++ ++========= ========= ============ ============ ============== =================== ====================== ++MSR_IA32_ARCH_CAPABILITIES bits Result with cmdline tsx=off ++---------------------------------- ------------------------------------------------------------------------- ++TAA_NO MDS_NO TSX_CTRL_MSR TSX state VERW can clear TAA mitigation TAA mitigation ++ after bootup CPU buffers tsx_async_abort=off tsx_async_abort=full ++========= ========= ============ ============ ============== =================== ====================== ++ 0 0 0 HW default Yes Same as MDS Same as MDS ++ 0 0 1 Invalid case Invalid case Invalid case Invalid case ++ 0 1 0 HW default No Need ucode update Need ucode update ++ 0 1 1 Disabled Yes TSX disabled TSX disabled ++ 1 X 1 Disabled X None needed None needed ++========= ========= ============ ============ ============== =================== ====================== ++ ++2. "tsx=on" ++ ++========= ========= ============ ============ ============== =================== ====================== ++MSR_IA32_ARCH_CAPABILITIES bits Result with cmdline tsx=on ++---------------------------------- ------------------------------------------------------------------------- ++TAA_NO MDS_NO TSX_CTRL_MSR TSX state VERW can clear TAA mitigation TAA mitigation ++ after bootup CPU buffers tsx_async_abort=off tsx_async_abort=full ++========= ========= ============ ============ ============== =================== ====================== ++ 0 0 0 HW default Yes Same as MDS Same as MDS ++ 0 0 1 Invalid case Invalid case Invalid case Invalid case ++ 0 1 0 HW default No Need ucode update Need ucode update ++ 0 1 1 Enabled Yes None Same as MDS ++ 1 X 1 Enabled X None needed None needed ++========= ========= ============ ============ ============== =================== ====================== ++ ++3. "tsx=auto" ++ ++========= ========= ============ ============ ============== =================== ====================== ++MSR_IA32_ARCH_CAPABILITIES bits Result with cmdline tsx=auto ++---------------------------------- ------------------------------------------------------------------------- ++TAA_NO MDS_NO TSX_CTRL_MSR TSX state VERW can clear TAA mitigation TAA mitigation ++ after bootup CPU buffers tsx_async_abort=off tsx_async_abort=full ++========= ========= ============ ============ ============== =================== ====================== ++ 0 0 0 HW default Yes Same as MDS Same as MDS ++ 0 0 1 Invalid case Invalid case Invalid case Invalid case ++ 0 1 0 HW default No Need ucode update Need ucode update ++ 0 1 1 Disabled Yes TSX disabled TSX disabled ++ 1 X 1 Enabled X None needed None needed ++========= ========= ============ ============ ============== =================== ====================== ++ ++In the tables, TSX_CTRL_MSR is a new bit in MSR_IA32_ARCH_CAPABILITIES that ++indicates whether MSR_IA32_TSX_CTRL is supported. ++ ++There are two control bits in IA32_TSX_CTRL MSR: ++ ++ Bit 0: When set it disables the Restricted Transactional Memory (RTM) ++ sub-feature of TSX (will force all transactions to abort on the ++ XBEGIN instruction). ++ ++ Bit 1: When set it disables the enumeration of the RTM and HLE feature ++ (i.e. it will make CPUID(EAX=7).EBX{bit4} and ++ CPUID(EAX=7).EBX{bit11} read as 0). diff --git a/queue-4.4/x86-speculation-taa-add-mitigation-for-tsx-async-abort.patch b/queue-4.4/x86-speculation-taa-add-mitigation-for-tsx-async-abort.patch new file mode 100644 index 00000000000..daaedcaebd4 --- /dev/null +++ b/queue-4.4/x86-speculation-taa-add-mitigation-for-tsx-async-abort.patch @@ -0,0 +1,302 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Pawan Gupta +Date: Wed, 23 Oct 2019 11:30:45 +0200 +Subject: x86/speculation/taa: Add mitigation for TSX Async Abort + +From: Pawan Gupta + +commit 1b42f017415b46c317e71d41c34ec088417a1883 upstream. + +TSX Async Abort (TAA) is a side channel vulnerability to the internal +buffers in some Intel processors similar to Microachitectural Data +Sampling (MDS). In this case, certain loads may speculatively pass +invalid data to dependent operations when an asynchronous abort +condition is pending in a TSX transaction. + +This includes loads with no fault or assist condition. Such loads may +speculatively expose stale data from the uarch data structures as in +MDS. Scope of exposure is within the same-thread and cross-thread. This +issue affects all current processors that support TSX, but do not have +ARCH_CAP_TAA_NO (bit 8) set in MSR_IA32_ARCH_CAPABILITIES. + +On CPUs which have their IA32_ARCH_CAPABILITIES MSR bit MDS_NO=0, +CPUID.MD_CLEAR=1 and the MDS mitigation is clearing the CPU buffers +using VERW or L1D_FLUSH, there is no additional mitigation needed for +TAA. On affected CPUs with MDS_NO=1 this issue can be mitigated by +disabling the Transactional Synchronization Extensions (TSX) feature. + +A new MSR IA32_TSX_CTRL in future and current processors after a +microcode update can be used to control the TSX feature. There are two +bits in that MSR: + +* TSX_CTRL_RTM_DISABLE disables the TSX sub-feature Restricted +Transactional Memory (RTM). + +* TSX_CTRL_CPUID_CLEAR clears the RTM enumeration in CPUID. The other +TSX sub-feature, Hardware Lock Elision (HLE), is unconditionally +disabled with updated microcode but still enumerated as present by +CPUID(EAX=7).EBX{bit4}. + +The second mitigation approach is similar to MDS which is clearing the +affected CPU buffers on return to user space and when entering a guest. +Relevant microcode update is required for the mitigation to work. More +details on this approach can be found here: + + https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html + +The TSX feature can be controlled by the "tsx" command line parameter. +If it is force-enabled then "Clear CPU buffers" (MDS mitigation) is +deployed. The effective mitigation state can be read from sysfs. + + [ bp: + - massage + comments cleanup + - s/TAA_MITIGATION_TSX_DISABLE/TAA_MITIGATION_TSX_DISABLED/g - Josh. + - remove partial TAA mitigation in update_mds_branch_idle() - Josh. + - s/tsx_async_abort_cmdline/tsx_async_abort_parse_cmdline/g + ] + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Reviewed-by: Josh Poimboeuf +[bwh: Backported to 4.4: + - Add #include "cpu.h" in bugs.c + - Drop __ro_after_init attribute + - Drop "nosmt" support + - Adjust context, indentation] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/msr-index.h | 4 + + arch/x86/include/asm/nospec-branch.h | 4 - + arch/x86/include/asm/processor.h | 7 ++ + arch/x86/kernel/cpu/bugs.c | 103 +++++++++++++++++++++++++++++++++++ + arch/x86/kernel/cpu/common.c | 15 +++++ + 6 files changed, 132 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/cpufeatures.h ++++ b/arch/x86/include/asm/cpufeatures.h +@@ -340,5 +340,6 @@ + #define X86_BUG_MDS X86_BUG(19) /* CPU is affected by Microarchitectural data sampling */ + #define X86_BUG_MSBDS_ONLY X86_BUG(20) /* CPU is only affected by the MSDBS variant of BUG_MDS */ + #define X86_BUG_SWAPGS X86_BUG(21) /* CPU is affected by speculation through SWAPGS */ ++#define X86_BUG_TAA X86_BUG(22) /* CPU is affected by TSX Async Abort(TAA) */ + + #endif /* _ASM_X86_CPUFEATURES_H */ +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -72,6 +72,10 @@ + * Sampling (MDS) vulnerabilities. + */ + #define ARCH_CAP_TSX_CTRL_MSR BIT(7) /* MSR for TSX control is available. */ ++#define ARCH_CAP_TAA_NO BIT(8) /* ++ * Not susceptible to ++ * TSX Async Abort (TAA) vulnerabilities. ++ */ + + #define MSR_IA32_BBL_CR_CTL 0x00000119 + #define MSR_IA32_BBL_CR_CTL3 0x0000011e +--- a/arch/x86/include/asm/nospec-branch.h ++++ b/arch/x86/include/asm/nospec-branch.h +@@ -268,7 +268,7 @@ DECLARE_STATIC_KEY_FALSE(mds_idle_clear) + #include + + /** +- * mds_clear_cpu_buffers - Mitigation for MDS vulnerability ++ * mds_clear_cpu_buffers - Mitigation for MDS and TAA vulnerability + * + * This uses the otherwise unused and obsolete VERW instruction in + * combination with microcode which triggers a CPU buffer flush when the +@@ -291,7 +291,7 @@ static inline void mds_clear_cpu_buffers + } + + /** +- * mds_user_clear_cpu_buffers - Mitigation for MDS vulnerability ++ * mds_user_clear_cpu_buffers - Mitigation for MDS and TAA vulnerability + * + * Clear CPU buffers if the corresponding static key is enabled + */ +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -852,4 +852,11 @@ enum mds_mitigations { + MDS_MITIGATION_VMWERV, + }; + ++enum taa_mitigations { ++ TAA_MITIGATION_OFF, ++ TAA_MITIGATION_UCODE_NEEDED, ++ TAA_MITIGATION_VERW, ++ TAA_MITIGATION_TSX_DISABLED, ++}; ++ + #endif /* _ASM_X86_PROCESSOR_H */ +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -30,11 +30,14 @@ + #include + #include + ++#include "cpu.h" ++ + static void __init spectre_v1_select_mitigation(void); + static void __init spectre_v2_select_mitigation(void); + static void __init ssb_select_mitigation(void); + static void __init l1tf_select_mitigation(void); + static void __init mds_select_mitigation(void); ++static void __init taa_select_mitigation(void); + + /* The base value of the SPEC_CTRL MSR that always has to be preserved. */ + u64 x86_spec_ctrl_base; +@@ -94,6 +97,7 @@ void __init check_bugs(void) + ssb_select_mitigation(); + l1tf_select_mitigation(); + mds_select_mitigation(); ++ taa_select_mitigation(); + + arch_smt_update(); + +@@ -247,6 +251,93 @@ static int __init mds_cmdline(char *str) + early_param("mds", mds_cmdline); + + #undef pr_fmt ++#define pr_fmt(fmt) "TAA: " fmt ++ ++/* Default mitigation for TAA-affected CPUs */ ++static enum taa_mitigations taa_mitigation = TAA_MITIGATION_VERW; ++ ++static const char * const taa_strings[] = { ++ [TAA_MITIGATION_OFF] = "Vulnerable", ++ [TAA_MITIGATION_UCODE_NEEDED] = "Vulnerable: Clear CPU buffers attempted, no microcode", ++ [TAA_MITIGATION_VERW] = "Mitigation: Clear CPU buffers", ++ [TAA_MITIGATION_TSX_DISABLED] = "Mitigation: TSX disabled", ++}; ++ ++static void __init taa_select_mitigation(void) ++{ ++ u64 ia32_cap; ++ ++ if (!boot_cpu_has_bug(X86_BUG_TAA)) { ++ taa_mitigation = TAA_MITIGATION_OFF; ++ return; ++ } ++ ++ /* TSX previously disabled by tsx=off */ ++ if (!boot_cpu_has(X86_FEATURE_RTM)) { ++ taa_mitigation = TAA_MITIGATION_TSX_DISABLED; ++ goto out; ++ } ++ ++ if (cpu_mitigations_off()) { ++ taa_mitigation = TAA_MITIGATION_OFF; ++ return; ++ } ++ ++ /* TAA mitigation is turned off on the cmdline (tsx_async_abort=off) */ ++ if (taa_mitigation == TAA_MITIGATION_OFF) ++ goto out; ++ ++ if (boot_cpu_has(X86_FEATURE_MD_CLEAR)) ++ taa_mitigation = TAA_MITIGATION_VERW; ++ else ++ taa_mitigation = TAA_MITIGATION_UCODE_NEEDED; ++ ++ /* ++ * VERW doesn't clear the CPU buffers when MD_CLEAR=1 and MDS_NO=1. ++ * A microcode update fixes this behavior to clear CPU buffers. It also ++ * adds support for MSR_IA32_TSX_CTRL which is enumerated by the ++ * ARCH_CAP_TSX_CTRL_MSR bit. ++ * ++ * On MDS_NO=1 CPUs if ARCH_CAP_TSX_CTRL_MSR is not set, microcode ++ * update is required. ++ */ ++ ia32_cap = x86_read_arch_cap_msr(); ++ if ( (ia32_cap & ARCH_CAP_MDS_NO) && ++ !(ia32_cap & ARCH_CAP_TSX_CTRL_MSR)) ++ taa_mitigation = TAA_MITIGATION_UCODE_NEEDED; ++ ++ /* ++ * TSX is enabled, select alternate mitigation for TAA which is ++ * the same as MDS. Enable MDS static branch to clear CPU buffers. ++ * ++ * For guests that can't determine whether the correct microcode is ++ * present on host, enable the mitigation for UCODE_NEEDED as well. ++ */ ++ static_branch_enable(&mds_user_clear); ++ ++out: ++ pr_info("%s\n", taa_strings[taa_mitigation]); ++} ++ ++static int __init tsx_async_abort_parse_cmdline(char *str) ++{ ++ if (!boot_cpu_has_bug(X86_BUG_TAA)) ++ return 0; ++ ++ if (!str) ++ return -EINVAL; ++ ++ if (!strcmp(str, "off")) { ++ taa_mitigation = TAA_MITIGATION_OFF; ++ } else if (!strcmp(str, "full")) { ++ taa_mitigation = TAA_MITIGATION_VERW; ++ } ++ ++ return 0; ++} ++early_param("tsx_async_abort", tsx_async_abort_parse_cmdline); ++ ++#undef pr_fmt + #define pr_fmt(fmt) "Spectre V1 : " fmt + + enum spectre_v1_mitigation { +@@ -758,6 +849,7 @@ static void update_mds_branch_idle(void) + } + + #define MDS_MSG_SMT "MDS CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html for more details.\n" ++#define TAA_MSG_SMT "TAA CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html for more details.\n" + + void arch_smt_update(void) + { +@@ -790,6 +882,17 @@ void arch_smt_update(void) + break; + } + ++ switch (taa_mitigation) { ++ case TAA_MITIGATION_VERW: ++ case TAA_MITIGATION_UCODE_NEEDED: ++ if (sched_smt_active()) ++ pr_warn_once(TAA_MSG_SMT); ++ break; ++ case TAA_MITIGATION_TSX_DISABLED: ++ case TAA_MITIGATION_OFF: ++ break; ++ } ++ + mutex_unlock(&spec_ctrl_mutex); + } + +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -954,6 +954,21 @@ static void __init cpu_set_bug_bits(stru + if (!cpu_matches(NO_SWAPGS)) + setup_force_cpu_bug(X86_BUG_SWAPGS); + ++ /* ++ * When the CPU is not mitigated for TAA (TAA_NO=0) set TAA bug when: ++ * - TSX is supported or ++ * - TSX_CTRL is present ++ * ++ * TSX_CTRL check is needed for cases when TSX could be disabled before ++ * the kernel boot e.g. kexec. ++ * TSX_CTRL check alone is not sufficient for cases when the microcode ++ * update is not present or running as guest that don't get TSX_CTRL. ++ */ ++ if (!(ia32_cap & ARCH_CAP_TAA_NO) && ++ (cpu_has(c, X86_FEATURE_RTM) || ++ (ia32_cap & ARCH_CAP_TSX_CTRL_MSR))) ++ setup_force_cpu_bug(X86_BUG_TAA); ++ + if (cpu_matches(NO_MELTDOWN)) + return; + diff --git a/queue-4.4/x86-speculation-taa-add-sysfs-reporting-for-tsx-async-abort.patch b/queue-4.4/x86-speculation-taa-add-sysfs-reporting-for-tsx-async-abort.patch new file mode 100644 index 00000000000..bc0d8be4319 --- /dev/null +++ b/queue-4.4/x86-speculation-taa-add-sysfs-reporting-for-tsx-async-abort.patch @@ -0,0 +1,119 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Pawan Gupta +Date: Wed, 23 Oct 2019 12:19:51 +0200 +Subject: x86/speculation/taa: Add sysfs reporting for TSX Async Abort + +From: Pawan Gupta + +commit 6608b45ac5ecb56f9e171252229c39580cc85f0f upstream. + +Add the sysfs reporting file for TSX Async Abort. It exposes the +vulnerability and the mitigation state similar to the existing files for +the other hardware vulnerabilities. + +Sysfs file path is: +/sys/devices/system/cpu/vulnerabilities/tsx_async_abort + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Tested-by: Neelima Krishnan +Reviewed-by: Mark Gross +Reviewed-by: Tony Luck +Reviewed-by: Greg Kroah-Hartman +Reviewed-by: Josh Poimboeuf +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/bugs.c | 23 +++++++++++++++++++++++ + drivers/base/cpu.c | 9 +++++++++ + include/linux/cpu.h | 3 +++ + 3 files changed, 35 insertions(+) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -1300,6 +1300,21 @@ static ssize_t mds_show_state(char *buf) + sched_smt_active() ? "vulnerable" : "disabled"); + } + ++static ssize_t tsx_async_abort_show_state(char *buf) ++{ ++ if ((taa_mitigation == TAA_MITIGATION_TSX_DISABLED) || ++ (taa_mitigation == TAA_MITIGATION_OFF)) ++ return sprintf(buf, "%s\n", taa_strings[taa_mitigation]); ++ ++ if (boot_cpu_has(X86_FEATURE_HYPERVISOR)) { ++ return sprintf(buf, "%s; SMT Host state unknown\n", ++ taa_strings[taa_mitigation]); ++ } ++ ++ return sprintf(buf, "%s; SMT %s\n", taa_strings[taa_mitigation], ++ sched_smt_active() ? "vulnerable" : "disabled"); ++} ++ + static char *stibp_state(void) + { + if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) +@@ -1365,6 +1380,9 @@ static ssize_t cpu_show_common(struct de + case X86_BUG_MDS: + return mds_show_state(buf); + ++ case X86_BUG_TAA: ++ return tsx_async_abort_show_state(buf); ++ + default: + break; + } +@@ -1401,4 +1419,9 @@ ssize_t cpu_show_mds(struct device *dev, + { + return cpu_show_common(dev, attr, buf, X86_BUG_MDS); + } ++ ++ssize_t cpu_show_tsx_async_abort(struct device *dev, struct device_attribute *attr, char *buf) ++{ ++ return cpu_show_common(dev, attr, buf, X86_BUG_TAA); ++} + #endif +--- a/drivers/base/cpu.c ++++ b/drivers/base/cpu.c +@@ -536,12 +536,20 @@ ssize_t __weak cpu_show_mds(struct devic + return sprintf(buf, "Not affected\n"); + } + ++ssize_t __weak cpu_show_tsx_async_abort(struct device *dev, ++ struct device_attribute *attr, ++ char *buf) ++{ ++ return sprintf(buf, "Not affected\n"); ++} ++ + static DEVICE_ATTR(meltdown, 0444, cpu_show_meltdown, NULL); + static DEVICE_ATTR(spectre_v1, 0444, cpu_show_spectre_v1, NULL); + static DEVICE_ATTR(spectre_v2, 0444, cpu_show_spectre_v2, NULL); + static DEVICE_ATTR(spec_store_bypass, 0444, cpu_show_spec_store_bypass, NULL); + static DEVICE_ATTR(l1tf, 0444, cpu_show_l1tf, NULL); + static DEVICE_ATTR(mds, 0444, cpu_show_mds, NULL); ++static DEVICE_ATTR(tsx_async_abort, 0444, cpu_show_tsx_async_abort, NULL); + + static struct attribute *cpu_root_vulnerabilities_attrs[] = { + &dev_attr_meltdown.attr, +@@ -550,6 +558,7 @@ static struct attribute *cpu_root_vulner + &dev_attr_spec_store_bypass.attr, + &dev_attr_l1tf.attr, + &dev_attr_mds.attr, ++ &dev_attr_tsx_async_abort.attr, + NULL + }; + +--- a/include/linux/cpu.h ++++ b/include/linux/cpu.h +@@ -52,6 +52,9 @@ extern ssize_t cpu_show_l1tf(struct devi + struct device_attribute *attr, char *buf); + extern ssize_t cpu_show_mds(struct device *dev, + struct device_attribute *attr, char *buf); ++extern ssize_t cpu_show_tsx_async_abort(struct device *dev, ++ struct device_attribute *attr, ++ char *buf); + + extern __printf(4, 5) + struct device *cpu_device_create(struct device *parent, void *drvdata, diff --git a/queue-4.4/x86-speculation-taa-fix-printing-of-taa_msg_smt-on-ibrs_all-cpus.patch b/queue-4.4/x86-speculation-taa-fix-printing-of-taa_msg_smt-on-ibrs_all-cpus.patch new file mode 100644 index 00000000000..8382266e6d3 --- /dev/null +++ b/queue-4.4/x86-speculation-taa-fix-printing-of-taa_msg_smt-on-ibrs_all-cpus.patch @@ -0,0 +1,49 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Josh Poimboeuf +Date: Wed, 6 Nov 2019 20:26:46 -0600 +Subject: x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs + +From: Josh Poimboeuf + +commit 012206a822a8b6ac09125bfaa210a95b9eb8f1c1 upstream. + +For new IBRS_ALL CPUs, the Enhanced IBRS check at the beginning of +cpu_bugs_smt_update() causes the function to return early, unintentionally +skipping the MDS and TAA logic. + +This is not a problem for MDS, because there appears to be no overlap +between IBRS_ALL and MDS-affected CPUs. So the MDS mitigation would be +disabled and nothing would need to be done in this function anyway. + +But for TAA, the TAA_MSG_SMT string will never get printed on Cascade +Lake and newer. + +The check is superfluous anyway: when 'spectre_v2_enabled' is +SPECTRE_V2_IBRS_ENHANCED, 'spectre_v2_user' is always +SPECTRE_V2_USER_NONE, and so the 'spectre_v2_user' switch statement +handles it appropriately by doing nothing. So just remove the check. + +Fixes: 1b42f017415b ("x86/speculation/taa: Add mitigation for TSX Async Abort") +Signed-off-by: Josh Poimboeuf +Signed-off-by: Thomas Gleixner +Reviewed-by: Tyler Hicks +Reviewed-by: Borislav Petkov +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/bugs.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -853,10 +853,6 @@ static void update_mds_branch_idle(void) + + void arch_smt_update(void) + { +- /* Enhanced IBRS implies STIBP. No update required. */ +- if (spectre_v2_enabled == SPECTRE_V2_IBRS_ENHANCED) +- return; +- + mutex_lock(&spec_ctrl_mutex); + + switch (spectre_v2_user) { diff --git a/queue-4.4/x86-tsx-add-auto-option-to-the-tsx-cmdline-parameter.patch b/queue-4.4/x86-tsx-add-auto-option-to-the-tsx-cmdline-parameter.patch new file mode 100644 index 00000000000..024f5005e50 --- /dev/null +++ b/queue-4.4/x86-tsx-add-auto-option-to-the-tsx-cmdline-parameter.patch @@ -0,0 +1,66 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Pawan Gupta +Date: Wed, 23 Oct 2019 12:28:57 +0200 +Subject: x86/tsx: Add "auto" option to the tsx= cmdline parameter + +From: Pawan Gupta + +commit 7531a3596e3272d1f6841e0d601a614555dc6b65 upstream. + +Platforms which are not affected by X86_BUG_TAA may want the TSX feature +enabled. Add "auto" option to the TSX cmdline parameter. When tsx=auto +disable TSX when X86_BUG_TAA is present, otherwise enable TSX. + +More details on X86_BUG_TAA can be found here: +https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html + + [ bp: Extend the arg buffer to accommodate "auto\0". ] + +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Reviewed-by: Tony Luck +Reviewed-by: Josh Poimboeuf +[bwh: Backported to 4.4: adjust filename] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/kernel-parameters.txt | 3 +++ + arch/x86/kernel/cpu/tsx.c | 7 ++++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -4073,6 +4073,9 @@ bytes respectively. Such letter suffixes + update. This new MSR allows for the reliable + deactivation of the TSX functionality.) + ++ auto - Disable TSX if X86_BUG_TAA is present, ++ otherwise enable TSX on the system. ++ + Not specifying this option is equivalent to tsx=off. + + See Documentation/hw-vuln/tsx_async_abort.rst +--- a/arch/x86/kernel/cpu/tsx.c ++++ b/arch/x86/kernel/cpu/tsx.c +@@ -75,7 +75,7 @@ static bool __init tsx_ctrl_is_supported + + void __init tsx_init(void) + { +- char arg[4] = {}; ++ char arg[5] = {}; + int ret; + + if (!tsx_ctrl_is_supported()) +@@ -87,6 +87,11 @@ void __init tsx_init(void) + tsx_ctrl_state = TSX_CTRL_ENABLE; + } else if (!strcmp(arg, "off")) { + tsx_ctrl_state = TSX_CTRL_DISABLE; ++ } else if (!strcmp(arg, "auto")) { ++ if (boot_cpu_has_bug(X86_BUG_TAA)) ++ tsx_ctrl_state = TSX_CTRL_DISABLE; ++ else ++ tsx_ctrl_state = TSX_CTRL_ENABLE; + } else { + tsx_ctrl_state = TSX_CTRL_DISABLE; + pr_err("tsx: invalid option, defaulting to off\n"); diff --git a/queue-4.4/x86-tsx-add-config-options-to-set-tsx-on-off-auto.patch b/queue-4.4/x86-tsx-add-config-options-to-set-tsx-on-off-auto.patch new file mode 100644 index 00000000000..b94e2f2cc09 --- /dev/null +++ b/queue-4.4/x86-tsx-add-config-options-to-set-tsx-on-off-auto.patch @@ -0,0 +1,137 @@ +From foo@baz Fri 15 Nov 2019 11:09:57 AM CST +From: Michal Hocko +Date: Wed, 23 Oct 2019 12:35:50 +0200 +Subject: x86/tsx: Add config options to set tsx=on|off|auto + +From: Michal Hocko + +commit db616173d787395787ecc93eef075fa975227b10 upstream. + +There is a general consensus that TSX usage is not largely spread while +the history shows there is a non trivial space for side channel attacks +possible. Therefore the tsx is disabled by default even on platforms +that might have a safe implementation of TSX according to the current +knowledge. This is a fair trade off to make. + +There are, however, workloads that really do benefit from using TSX and +updating to a newer kernel with TSX disabled might introduce a +noticeable regressions. This would be especially a problem for Linux +distributions which will provide TAA mitigations. + +Introduce config options X86_INTEL_TSX_MODE_OFF, X86_INTEL_TSX_MODE_ON +and X86_INTEL_TSX_MODE_AUTO to control the TSX feature. The config +setting can be overridden by the tsx cmdline options. + + [ bp: Text cleanups from Josh. ] + +Suggested-by: Borislav Petkov +Signed-off-by: Michal Hocko +Signed-off-by: Pawan Gupta +Signed-off-by: Borislav Petkov +Signed-off-by: Thomas Gleixner +Reviewed-by: Josh Poimboeuf +[bwh: Backported to 4.4: adjust doc filename] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/Kconfig | 45 +++++++++++++++++++++++++++++++++++++++++++++ + arch/x86/kernel/cpu/tsx.c | 22 ++++++++++++++++------ + 2 files changed, 61 insertions(+), 6 deletions(-) + +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -1695,6 +1695,51 @@ config X86_INTEL_MPX + + If unsure, say N. + ++choice ++ prompt "TSX enable mode" ++ depends on CPU_SUP_INTEL ++ default X86_INTEL_TSX_MODE_OFF ++ help ++ Intel's TSX (Transactional Synchronization Extensions) feature ++ allows to optimize locking protocols through lock elision which ++ can lead to a noticeable performance boost. ++ ++ On the other hand it has been shown that TSX can be exploited ++ to form side channel attacks (e.g. TAA) and chances are there ++ will be more of those attacks discovered in the future. ++ ++ Therefore TSX is not enabled by default (aka tsx=off). An admin ++ might override this decision by tsx=on the command line parameter. ++ Even with TSX enabled, the kernel will attempt to enable the best ++ possible TAA mitigation setting depending on the microcode available ++ for the particular machine. ++ ++ This option allows to set the default tsx mode between tsx=on, =off ++ and =auto. See Documentation/kernel-parameters.txt for more ++ details. ++ ++ Say off if not sure, auto if TSX is in use but it should be used on safe ++ platforms or on if TSX is in use and the security aspect of tsx is not ++ relevant. ++ ++config X86_INTEL_TSX_MODE_OFF ++ bool "off" ++ help ++ TSX is disabled if possible - equals to tsx=off command line parameter. ++ ++config X86_INTEL_TSX_MODE_ON ++ bool "on" ++ help ++ TSX is always enabled on TSX capable HW - equals the tsx=on command ++ line parameter. ++ ++config X86_INTEL_TSX_MODE_AUTO ++ bool "auto" ++ help ++ TSX is enabled on TSX capable HW that is believed to be safe against ++ side channel attacks- equals the tsx=auto command line parameter. ++endchoice ++ + config EFI + bool "EFI runtime service support" + depends on ACPI +--- a/arch/x86/kernel/cpu/tsx.c ++++ b/arch/x86/kernel/cpu/tsx.c +@@ -73,6 +73,14 @@ static bool __init tsx_ctrl_is_supported + return !!(ia32_cap & ARCH_CAP_TSX_CTRL_MSR); + } + ++static enum tsx_ctrl_states x86_get_tsx_auto_mode(void) ++{ ++ if (boot_cpu_has_bug(X86_BUG_TAA)) ++ return TSX_CTRL_DISABLE; ++ ++ return TSX_CTRL_ENABLE; ++} ++ + void __init tsx_init(void) + { + char arg[5] = {}; +@@ -88,17 +96,19 @@ void __init tsx_init(void) + } else if (!strcmp(arg, "off")) { + tsx_ctrl_state = TSX_CTRL_DISABLE; + } else if (!strcmp(arg, "auto")) { +- if (boot_cpu_has_bug(X86_BUG_TAA)) +- tsx_ctrl_state = TSX_CTRL_DISABLE; +- else +- tsx_ctrl_state = TSX_CTRL_ENABLE; ++ tsx_ctrl_state = x86_get_tsx_auto_mode(); + } else { + tsx_ctrl_state = TSX_CTRL_DISABLE; + pr_err("tsx: invalid option, defaulting to off\n"); + } + } else { +- /* tsx= not provided, defaulting to off */ +- tsx_ctrl_state = TSX_CTRL_DISABLE; ++ /* tsx= not provided */ ++ if (IS_ENABLED(CONFIG_X86_INTEL_TSX_MODE_AUTO)) ++ tsx_ctrl_state = x86_get_tsx_auto_mode(); ++ else if (IS_ENABLED(CONFIG_X86_INTEL_TSX_MODE_OFF)) ++ tsx_ctrl_state = TSX_CTRL_DISABLE; ++ else ++ tsx_ctrl_state = TSX_CTRL_ENABLE; + } + + if (tsx_ctrl_state == TSX_CTRL_DISABLE) { -- 2.47.3